Yes, Virginia, There Really is Social Engineering

I just got yet another email from my bank. Or, at least it looked like the bank that had issued one of my credit cards. The email included my correct name and mailing address, as well as a variety of other quality information such as the last four digits of my credit card number. This may not seem like it is great information, but I regularly change details in my name for accounts, such as using different middle initials, including or omitting part of my first name, or using one of the three different street addresses that will get mail delivered to my home. So when someone gets it all correct, it really is a big deal to me.

According to the email, I needed to log on (yes, convenient link included) and check a fraud alert that was being issued on my credit card by my bank because of "suspicious activity". Again, this did make some sense, because this account was compromised last December, and I do have fraud triggers set to alert via email and SMS. Despite the fact that I pretty much always view these emails as suspicious, all in all, it seemed like the type of email that I might not want to ignore.

Except...

Except for the fact that the email came to a valid email address which I have never registered with this particular bank. Oddly enough, I have seen this with increasing frequency, and have received both Facebook and LinkedIn notifications with friend/connect requests - with people I actually know - but, both sent to email addresses which I have never registered with Facebook or LinkedIn.

Social Engineering?

Getting a few emails does not necessarily mean I am in the middle of a “Social Engineering” attack. The catch here is that the emails contained real information that could only be gathered if someone was working at it, so I tend to look a little beyond “random phishing”. The sender had good information.

A more recent complexity in social engineering is the use of this type of good information in an Advanced Persistent Threat (APT). In this role, social engineering is used in concert with other attack vectors. This is partially what makes an APT "advanced". Information gathered from social engineering is used to target technical attacks, and in turn, information from technical attacks is used to help target further social engineering attacks as an attacker learns more about a set of individuals as well as the entire organization. This includes technical attacks like intrusion attacks, application attacks, war dialing and wireless attacks, among others.

The availability of information from public sources like social media allows online research about specific people to be very targeted, further enabling even more specific social engineering attacks.

The most dangerous social engineering attacks are those that also try to get targets to open malicious links or run malicious applications, potentially installing malware like key loggers or software that supports remote control. You may recognize a random external email attack that includes a virus or a malicious link. But how would you respond to an email from your daughter's college that appears to claim she is being expelled, or an email from a well-known pharmaceutical company announcing recently discovered, potentially fatal side effects of a prescription drug that you are currently taking? Bet those would get your attention, eh? Personal attacks like this, tailored to a specific individual, have become more common, and we should expect this trend to continue. It's not just about the business any more.

Can We do Anything About It?

Since there is no firewall that can filter out social engineering attacks, the single best thing you can do to minimize the chances of a successful social engineering attack is proper awareness. At the same time, some technical controls can help. I have no “magic list” of five things to do, and I know 18 “controls” can look like a daunting task, but any or all of these things can help reduce the chances of a successful social engineering/phishing attack. Even starting with one thing that you are currently not doing can help.

1. You should know that social engineering attacks exist. You should also know that attackers are interested in getting personal information as well as corporate information, and that individuals may be attacked through any phone, email or social media account - both work and personal - since personal knowledge can help make targeted attacks more successful.

2. You should be very careful about the type of information you leave in your voicemail greeting. A good default is to leave your first name, and state that you will return the call, without identifying your group.

3. “Extended absence” messages may be necessary, but should be used with care. You might consider leaving a “fake” alternate contact name so that a coworker can easily identify that the call came from your out-of-office message. If you are going to be out and you want callers to reach “Betty Brown” for assistance in your absence, you might leave an outgoing message that says “Beth Brown” instead of “Betty Brown”. Then, when a caller asks for “Beth”, Betty will actually know that this call came as a result of your out-of-office message. (As long as you actually tell Betty...)

4. To help minimize the ease with which an attacker can identify valid email addresses at your organization, your email server should be configured so that it does not reveal, through its responses to inbound mail, whether a given address is valid or invalid.

5. Make sure that corporate email addresses have little to no relationship with the employee’s user ID. Never make the name in your email address the same as the user ID you use on your internal network. If the user ID that you use to log onto your corporate network is bsmith, do not make your corporate email address bsmith@yourcompany.com.

6. You should be filtering attachments on your email, and removing attachments with potentially hostile contents, such as executable files. Distributing Trojan horses or viruses via email is a common attack technique.

7. Be aware of company specific jargon. Anyone who uses improper or general information about your company can be regarded as an outsider. Maybe you work for Big Green International Company, but everyone calls it “GI”. Using incorrect terminology is a clue that a call may not be genuine. I once did work for a company that had people in a building commonly known as “The Page Building”, since it had “Page” on it in big red letters. I found out that internally, the company called it “Building 216”. On subsequent calls, I referred to it as “Building 216” and got immediate credibility because I knew the lingo.

8. Someone who acts irate or angry and attempts to rush you through a questionable process should be regarded as suspicious. Bullying someone is a common technique to keep a target off balance. And, yes, it does work – I have used it myself.

9. Many (not all!) data gathering emails come from temporary, or “throw away” accounts, such as an account at gmail or yahoo, among others. Your staff should be aware that there are a number of reasons an attacker would like to clearly identify valid email addresses and that your staff should consider this in all external responses. (For the exact same reason that you don't press "1" when “Rachel from Cardholder Services” calls, because then they will NEVER... STOP... CALLING...)

10. Your company should not use or allow the use of external web-based email accounts through the normal course of your business. Do not let employees get used to seeing official email from such accounts (like @gmail.com instead of @yourcompany.com).

11. Some phone systems have the ability to generate different ringtones for an internal call and an external call. For instance, a user might hear a single long ring if the phone call originated from outside the building, and two short rings if the call originated from within the building. Employees should always be aware of whether the call they received is an external call or an internal call. If they get a call with one long ring (from outside the building), and the caller identifies themselves as corporate IT needing information, this should be regarded as a little suspicious.

12. Your employees should know that no one from corporate IT (or anyone else) would ever call them and ask for their password. Simply put, no employee should ever divulge his or her password to anyone else. Never.

13. You should maintain an accurate and current employee directory with phone numbers. Anyone receiving a suspicious call can ask the caller who they are and consult the phone directory for the name and phone number.

14. Dispose of sensitive material in an appropriate manner. Either use an office shredder, or contract with a reputable “secure disposal” company to dispose of sensitive information for you. Yes, "dumpster diving" is real, does happen and does work.

15. The help desk can take steps to reduce the number of invalid password resets and snooping attempts.

a. If a user calls from an outside number, the help desk’s first response should always be to consult a corporate phone directory for an official work, mobile or home phone number to return the user's call. Any number not on the list should be considered suspicious.

b. The help desk should verify the employee’s full name, with proper spelling, phone extension, department or group. You are trying to add enough information that an attacker would have to be very prepared for the request.

c. The help desk should ask the caller for a number at which they can call the user back, regardless of where the user is calling from. A call from anyone who will not provide a callback number should be considered an attack.

d. You may consider having the help desk leave a user’s new password in the employee’s corporate voicemail. A valid user should have no trouble retrieving the password. An attacker would have to compromise the voicemail system to get access to the password.

16. If you are being asked to release or reveal something that is clearly sensitive, such as your strategic plan, passwords, pre-release earnings, source code and other such internal information, it should be automatically regarded as suspicious.

17. See number 12.

18. You should have a plan for how you will communicate internally if you identify that a social engineering attack is taking place against your company. Does every employee get an email stating that an attack is in progress, and that everyone should exercise additional care? Who should send the email, and what is the final triggering event before a company-wide alert is distributed?
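As an added example (not the article's own code), here is a small Python check for the technical controls in items 6, 9 and 10: it parses a raw message, flags executable attachments both by extension and by the "MZ" header of a Windows executable (so a renamed .exe is still caught), and flags senders from the free webmail domains item 9 names. The blocked-extension list, the webmail domain list and the sample messages are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
import os

# Assumed filter policy for this example; tune to your environment.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # first two bytes of a Windows executable, whatever its name
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com"}  # "throw away" providers from item 9


def inspect_message(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and report attachment and sender findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    domain = sender.rpartition("@")[2].lower()
    findings = {"webmail_sender": domain in WEBMAIL_DOMAINS, "hostile_attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # The final extension catches "notice.pdf.exe"; the magic-byte check
        # catches an executable renamed to "notice.pdf".
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS or payload.startswith(PE_MAGIC):
            findings["hostile_attachments"].append(name)
    return findings


def build_sample(from_header: str, filename: str, content: bytes) -> bytes:
    """Construct a one-attachment test message (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "bsmith@yourcompany.com"
    msg["Subject"] = "Fraud alert: suspicious activity on your card"
    msg.set_content("Please open the attached notice and log on to review the alert.")
    msg.add_attachment(content, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Card Services <alerts@gmail.com>", "notice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 32),
        build_sample("IT Helpdesk <helpdesk@yourcompany.com>", "notice.pdf", b"MZ\x90\x00" + b"\x00" * 32),
        build_sample("HR <hr@yourcompany.com>", "policy.pdf", b"%PDF-1.4\n"),
    ]
    for raw in samples:
        print(inspect_message(raw))
```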

Conclusion

A good social engineer can extract sensitive internal information very quickly, and can then make the best use of that information to further additional attacks. Knowing this, you should understand that a social engineering attack can happen at any time. They don’t happen because you have poor security; they happen because someone else decided you were a target.

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.